Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2024 03:48
Behavioral task: behavioral1
- Sample: 0x000700000002320d-976.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0x000700000002320d-976.exe
- Resource: win10v2004-20231215-en
General
- Target: 0x000700000002320d-976.exe
- Size: 1.6MB
- MD5: 32482344f0d985670f8d87c463d732c4
- SHA1: 9653d6f4282f0aaa0e22d454a72264f3287a1dfd
- SHA256: 8bea801f9e9bb34de95156473919afb32a4a813b81c61b1e20374c5ab0ff010a
- SHA512: 6060807aca6cd7dd996b46e20ac2e7c8a527f61b45880afd26fdcab736c1203e8903865e41e635bf8083c0ddc981e7e121773616c19aec03e3ca3ff5548ee7c4
- SSDEEP: 49152:vkTq24GjdGSiqkqXfd+/9AqYanieKdsG:v1EjdGSiqkqXf0FLYW
Malware Config
Extracted: stealerium
- https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
Signatures
- Stealerium
  An open-source info stealer written in C#, first seen in May 2022.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 0x000700000002320d-976.exe
  Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 0x000700000002320d-976.exe
  Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 0x000700000002320d-976.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  17 | icanhazip.com
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  3964 | 1620 | WerFault.exe | 0x000700000002320d-976.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 0x000700000002320d-976.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 0x000700000002320d-976.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1620 | 0x000700000002320d-976.exe
  1620 | 0x000700000002320d-976.exe
  1620 | 0x000700000002320d-976.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1620 | 0x000700000002320d-976.exe
  Token: SeSecurityPrivilege | 3612 | msiexec.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  description | pid | process | target process
  PID 1620 wrote to memory of 1148 | 1620 | 0x000700000002320d-976.exe | cmd.exe
  PID 1620 wrote to memory of 1148 | 1620 | 0x000700000002320d-976.exe | cmd.exe
  PID 1620 wrote to memory of 1148 | 1620 | 0x000700000002320d-976.exe | cmd.exe
  PID 1148 wrote to memory of 3264 | 1148 | cmd.exe | chcp.com
  PID 1148 wrote to memory of 3264 | 1148 | cmd.exe | chcp.com
  PID 1148 wrote to memory of 3264 | 1148 | cmd.exe | chcp.com
  PID 1148 wrote to memory of 3588 | 1148 | cmd.exe | netsh.exe
  PID 1148 wrote to memory of 3588 | 1148 | cmd.exe | netsh.exe
  PID 1148 wrote to memory of 3588 | 1148 | cmd.exe | netsh.exe
  PID 1148 wrote to memory of 1980 | 1148 | cmd.exe | findstr.exe
  PID 1148 wrote to memory of 1980 | 1148 | cmd.exe | findstr.exe
  PID 1148 wrote to memory of 1980 | 1148 | cmd.exe | findstr.exe
  PID 1620 wrote to memory of 2760 | 1620 | 0x000700000002320d-976.exe | cmd.exe
  PID 1620 wrote to memory of 2760 | 1620 | 0x000700000002320d-976.exe | cmd.exe
  PID 1620 wrote to memory of 2760 | 1620 | 0x000700000002320d-976.exe | cmd.exe
  PID 2760 wrote to memory of 1976 | 2760 | cmd.exe | chcp.com
  PID 2760 wrote to memory of 1976 | 2760 | cmd.exe | chcp.com
  PID 2760 wrote to memory of 1976 | 2760 | cmd.exe | chcp.com
  PID 2760 wrote to memory of 224 | 2760 | cmd.exe | netsh.exe
  PID 2760 wrote to memory of 224 | 2760 | cmd.exe | netsh.exe
  PID 2760 wrote to memory of 224 | 2760 | cmd.exe | netsh.exe
- outlook_office_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 0x000700000002320d-976.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 0x000700000002320d-976.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0x000700000002320d-976.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x000700000002320d-976.exe"
  PID: 1620
  Signatures:
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    PID: 1148
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 3264
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh wlan show profile
      PID: 3588
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr All
      PID: 1980
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 2764
    PID: 3964
    Signatures:
    - Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    PID: 2760
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 1976
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh wlan show networks mode=bssid
      PID: 224
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1620 -ip 1620
  PID: 1272
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3612
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7